Castlepoint CEO Rachael Greaves recently presented to the Australian Finance Industry Association (AFIA) on the topic of cyber risk.
Most organisations are focused on immediate priorities, and have a short planning horizon for cyber. Cyber doesn’t seem as immediate as the need to meet targets, respond to FOIs, or complete reporting cycles. Anything that disrupts core business is seen as too high a price to pay.
But the most serious cyber incidents have a slow burn. Threat actors can lie dormant in systems for years before striking, or can be slowly exfiltrating data without detection. For critical infrastructure, foreign state actors position themselves to cripple networks in the event of a conflict, shutting down our economy and infrastructure to weaken our defences.
Recent case studies
We discussed some recent events in the sector, and how those breaches happened:
1: Insider leak, whether malicious or accidental. This is by far the most likely. Staff already have access to systems, and are trusted to use them. This is what happened at NAB in 2019. This year the bank paid nearly $700k in compensation to affected customers.
2: Software vulnerabilities. A glitch in US financial research firm Morningstar’s systems exposed the alert profiles of KPMG executives in Australia.
3: Malicious breach. Compromise of the Accellion infrastructure affected many organisations, the Reserve Bank of New Zealand and ASIC among them.
None of these things are in the control of the day-to-day user, or even most executives. It’s widely recognised that being breached is almost inevitable. If we quickly consider the many types of breach, and many types of threat actor, we can get a better picture.
Key types of threat actor
There are several different groups who perpetrate these breaches.
1: Foreign state actors. Foreign governments have a lot of capability to breach networks, and do so in order to undermine Australian national interests, as well as to steal IP. If you service government and critical industry clients, hold PII, or have unique IP, you are a potential target.
2: Criminal. Cybercriminals use hacking to extort money, or sell credentials they steal. Organised crime groups may also want to target you because of your client data, or for ransom.
3: Competitors. While usually less capable than other threat actors, competitors may be highly motivated to steal your trade secrets and IP.
4: And feeding into them all, the trusted insider. It is much more likely that someone in the company will be tricked into, or recruited into, facilitating a breach by one of the other types of threat actor. Insiders can be motivated by money, ideology, compromise, or even just ego. With work from home and churn from the labour shortage, it’s extremely hard to monitor and continuously vet our people.
Reducing the impact
We need to do what we can to reduce likelihood of a breach – but we can never completely prevent one. What we need to focus much more on is reducing the impact of a breach.
How do we do this?
The Supply Chain Principles are available on the Home Affairs website, and the very first Principle is:
Understand what needs to be protected, why it needs to be protected, and how it can be protected.
We have to know our own data, so that we can focus our efforts on the data that has the most risk.
What is this risky data?
- National security
- Sensitive personal
- Financial (PCI for example)
These are fairly easy to detect as they are consistent.
What about risks specific to your organisation? Every organisation has a unique risk profile. Different organisations have different types of risk data unique to them.
Firstly, IP. This is always unique and specific, and can’t be identified by generic pattern matching algorithms.
Secondly, core business data that is sensitive. The fact that you are doing a certain merger, or running a certain kind of project, or engaging with a certain entity, might be sensitive. But not all mergers, projects, or relationships are. It’s up to each individual business what topics you consider risky, and it’s not repeatable across organisations. Sometimes, a certain business activity will be politically sensitive to the community – knowing where that data is, and who can see it, is vital.
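The distinction drawn above, between data that is consistent enough to find with a pattern (a payment card number, for example) and organisation-specific topics that only the organisation itself can name, is illustrated by the following added example. It is not Castlepoint's code and is not from the original post: the card-number check uses a regular expression plus the Luhn checksum, the organisation-specific tier uses a hand-maintained watchlist of topics, and the sample documents and watchlist entries are constructed for the demonstration.

```python
"""Two-tier sensitive-data detection (added illustration, not Castlepoint's code).

Tier 1: consistent patterns such as PCI card numbers, found with a regex and
        confirmed with the Luhn checksum so that arbitrary digit runs are not flagged.
Tier 2: organisation-specific topics (merger codenames, live tenders) that no
        generic pattern can recognise, found only via a per-organisation watchlist.
All sample text and watchlist entries below are constructed.
"""
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed organisation-specific watchlist: topic -> why it is sensitive here.
WATCHLIST = {
    "Project Kestrel": "confidential merger codename",
    "Harbour bid": "live tender",
}

# Constructed sample documents.
SAMPLE_DOCS = {
    "invoice.txt": "Paid by card 4111 1111 1111 1111, ref 1234 5678 9012 3456.",
    "board-minutes.txt": "Project Kestrel due diligence continues; board approved the Harbour bid.",
    "newsletter.txt": "Staff picnic on Friday. Bring a plate.",
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers in text, digits only (separators removed)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def find_org_topics(text: str, watchlist: dict[str, str]) -> list[str]:
    """Return watchlist topics mentioned in text (case-insensitive substring match)."""
    lowered = text.lower()
    return [topic for topic in watchlist if topic.lower() in lowered]


def classify(text: str, watchlist: dict[str, str] = WATCHLIST) -> dict:
    """Combine both tiers and explain why a document was flagged."""
    pans = find_pans(text)
    topics = find_org_topics(text, watchlist)
    reasons = []
    if pans:
        reasons.append("PCI: payment card number")
    reasons += [f"org-specific: {watchlist[t]}" for t in topics]
    return {
        "card_numbers": pans,
        "topics": topics,
        "reasons": reasons,
        "sensitive": bool(reasons),
    }


if __name__ == "__main__":
    for name, body in SAMPLE_DOCS.items():
        result = classify(body)
        print(f"{name}: sensitive={result['sensitive']} reasons={result['reasons']}")
```

Running the block shows the point of the two tiers: the invoice is flagged by the generic pattern (the second digit run fails Luhn and is correctly ignored), the board minutes are flagged only because the watchlist names those topics, and nothing in a generic pattern library would have caught them.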
Finally, regulated information. This is data that, if you allow unauthorised access or use, can result in civil or criminal penalties. There are more than 500 secrecy provisions just in Commonwealth legislation – and more apply for every jurisdiction you operate in. Secrecy provisions go beyond the usual suspects, to things you might not consider sensitive if you’re not familiar with those laws.
The way ahead
Knowing and applying regulatory rules is one of the best ways to reduce cyber risk. But how can we find all that risky data, track it, match it to the regulations and rules, and manage it compliantly?
The way to address this is with AI.
Castlepoint is a new kind of Artificial Intelligence. We register every system in an environment, in the cloud and on prem. We register every record in every system (structured or unstructured), and every file in every record, and we use Natural Language Processing to extract all the meaningful topics and entities mentioned in every item, no matter the format. We capture every event on the data, as well as all metadata.
We do all this without agents or connectors, and without moving, duplicating, or modifying data. Castlepoint provides command and control through powerful discovery, audit, and automated records management. It’s completely invisible to general users, and we are unique in managing all information, for its whole lifecycle, with no impacts.
AI makes this possible. Some of the problems we have solved this year have included:
- Finding references to potential child abuse in government databases with 99.8% accuracy
- Providing command and control over more than 56,000 systems for one organisation
- Reducing the cost of legal discovery for one agency by 97% per year.
Contact us for more information on how Castlepoint can help you manage your risk in financial services, by giving you defensible, transparent visibility of your obligations as well as your data.